Evading the “man in the middle”

Posted: July 22, 2008 in Posts, Rethink Remote Access

In response to our discussion yesterday about “Man in the Middle Attacks,” Rene points us to this article in Wired, which describes how Colombian government forces ‘masqueraded’ as FARC revolutionaries, in order to release hostages. “That was another example of MITM attack,” says Rene.  “This time used for a good purpose!”

On the subject of practical precautions against more nefarious MITM attacks, he says:


You can help a user by adding mechanisms to assist in certificate verification in applications. Not only simple verification such as identities, but further nail them down to verify serial numbers/certificate fingerprints, verify issuer’s certificates and even the whole ‘chain’ / hierarchy of certification authorities involved and deny connectivity if something is amiss in this chain. 

Further security can be leveraged by using online certificate checks (OCSP) or offline certificate revocation lists (CRLs) (of both user/client [EPRLs] as well as issuers [ARLs]). This should be done from two sides; the client should verify the gateway’s identity and the gateway should verify the client’s identity!

Furthermore, using main mode, also known as identity protection mode, to set up an IPsec based VPN prevents a malicious user from ‘sniffing for valid identities’ as mentioned in the article, with certificate exchange/verification of both the initiator (client) and responder (gateway) making a MITM attack very difficult. The identities are made known only after an encrypted session/channel has been established.
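
Rene’s advice above boils down to three checks on each side: pin the peer certificate (fingerprint/serial), reject anything on a revocation list, and make the verification mutual so the gateway checks the client as well. The script below is an added illustration for this post, not Rene’s code or anything from the original article; it uses only the Python standard library (`ssl`, `hashlib`, `hmac`). The certificate bytes and serial numbers in it are constructed placeholders, not a real certificate; in a real client the DER bytes come from `SSLSocket.getpeercert(binary_form=True)`.

```python
"""Added example: certificate pinning, revocation check and mutual-verification
TLS contexts using only the Python standard library (not code from the post)."""
import hashlib
import hmac
import ssl
from typing import Iterable, Optional

# Constructed stand-in for the DER bytes of a peer certificate. Not a real
# certificate; real code reads these from SSLSocket.getpeercert(binary_form=True).
SAMPLE_PEER_DER = b"\x30\x82\x01\x0aCONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT"
SAMPLE_PEER_SERIAL = 0x1A2B3C          # constructed serial number
SAMPLE_REVOKED_SERIALS = [0xDEAD, 0x1A2B3C]  # constructed offline CRL contents


def fingerprint_sha256(der: bytes) -> str:
    """Hex SHA-256 of the DER encoding: the value a pin is compared against."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pinned_fingerprints: Iterable[str]) -> bool:
    """True if the peer certificate matches one of the configured pins.
    Pins may be given as 'ab:cd:...' or bare hex; comparison is constant-time
    so the check itself does not leak how much of a pin matched."""
    fp = fingerprint_sha256(der)
    normalised = (p.lower().replace(":", "") for p in pinned_fingerprints)
    return any(hmac.compare_digest(fp, p) for p in normalised)


def is_revoked(serial: int, revoked_serials: Iterable[int]) -> bool:
    """Offline CRL-style lookup: the certificate is refused if its serial is listed."""
    return serial in set(revoked_serials)


def peer_accepted(der: bytes, serial: int, pins: Iterable[str],
                  revoked_serials: Iterable[int]) -> bool:
    """Deny connectivity if anything is amiss: pin mismatch OR revoked -> reject."""
    return pin_matches(der, pins) and not is_revoked(serial, revoked_serials)


def make_mutual_auth_context(server_side: bool,
                             ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Build one side of a mutually authenticated TLS session.
    server_side=True  -> the gateway: requires the client to present a certificate.
    server_side=False -> the client: requires and hostname-checks the gateway cert.
    When a CA bundle with CRLs is supplied, every certificate in the chain is
    checked against them (VERIFY_CRL_CHECK_CHAIN)."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose=purpose, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED        # no certificate, no connection
    ctx.check_hostname = not server_side       # identity check on the gateway name
    if ca_file is not None:
        # CRLs must be present in ca_file for this flag to succeed at handshake time
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    return ctx


if __name__ == "__main__":
    good_pin = fingerprint_sha256(SAMPLE_PEER_DER)
    print("pin ok, not revoked :", peer_accepted(SAMPLE_PEER_DER, 0x42, [good_pin], [0xDEAD]))
    print("pin ok, but revoked :", peer_accepted(SAMPLE_PEER_DER, SAMPLE_PEER_SERIAL,
                                                 [good_pin], SAMPLE_REVOKED_SERIALS))
    print("gateway ctx requires client cert:",
          make_mutual_auth_context(True).verify_mode == ssl.CERT_REQUIRED)
```

The point of `peer_accepted` is the conjunction: a certificate that chains correctly but carries a revoked serial is refused just as firmly as one with the wrong fingerprint, which is the "deny connectivity if something is amiss" rule from the quoted advice. Calling `make_mutual_auth_context` on both ends gives the two-sided verification Rene asks for, since each side demands the other's certificate rather than only the client checking the gateway.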


Comments
  1. […] is actually data passing between the device and the hotspot, there is room for attack (your classic man-in-the-middle). The acquisition and accounting of time online serves solely so the provider can get paid for use […]

  2. […] information, and it’s important to make sure no one can gain access to it.  This time, hacks, man in the middle attacks (MITM) and other scams are widespread.  Here are some tips to keep get rid of one tax season […]
